
Can someone access my database from outside my server?

I was trying to "google hack" my site to see what happened (I recently read about it), so I googled for site:www.x.com intitle:"index of" "server at" + db.

And found a .inc file in the directory tree.

```php
<?php
    // Settings file as found via the directory listing. Because its
    // extension is .inc rather than .php, the web server returned this
    // source verbatim instead of executing it.
    class clsSettings
    {
        var $site     = "localhost"; // 'var' is the PHP 4 spelling of 'public'
        var $sitedb   = "x";
        var $siteuser = "x";
        var $sitepass = "x";
    } /* settings */
?>
```

Can someone access my database from outside my server?

Should I be worried about this sensitive info exposure?

Note: I removed sensitive info with Xs.

That's why you don't name your PHP files anything other than .php. You can configure the server to parse .inc files, or any file extension, as PHP if you wanted, but this isn't a common configuration, especially on shared servers.

If you can see the contents of your files that contain your password, then so can the rest of the world. Also, Aziz's comment about changing robots.txt does not help you at all. In fact, you can call attention to the things you are hiding this way, as anyone trying to get into your site won't follow the rules within robots.txt.

It is also common to not allow automatic directory indexing, unless you need it for some specific reason.

I trust you fixed this issue by renaming the file extension to .php.

Execute this command with a new password on your server (i.e. through SSH):

```shell
# No space between -p and the old password: with a space, mysqladmin prompts
# for the password interactively and treats 'oldpassword' as a command.
mysqladmin -u root -p'oldpassword' password 'newpass'
```

Then change the password in all the referenced PHP files.

Also you may want to create a "Robot trap" to stop bots that do not follow your robots.txt file, see http://www.fleiner.com/bots/#trap for more info. However note that this is a weak protection measure.

Also you can add this to your .htaccess in the WWW root to stop directory listings:

```apache
Options -Indexes
```
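The two answers above make the same point from different angles: any file under the document root that the server does not execute as PHP is served as plain text, and directory listings are what let a search engine find it. The script below is an added example (not code from either answer or from the asker) that audits a document root for both problems and then writes a hardening .htaccess. It assumes Apache 2.4 (`Require all denied` syntax) with `AllowOverride` permitting `Options` and `FilesMatch`; the extension list, the `includes/` path and the sample files are constructed for the demonstration. Denying the extensions is defense in depth only: the real fix remains renaming the include to .php or moving it outside the web root, and rotating the exposed credentials.

```shell
#!/bin/sh
# Audit a PHP document root for (1) files containing PHP source that are not
# served as PHP (.inc, .bak, ...), which Apache returns verbatim, credentials
# included, and (2) directory listings left enabled. Then write a hardening
# .htaccess. Extensions and paths below are assumptions for this example.

# Print every regular file under $1 that contains a PHP open tag but does not
# end in .php. Each hit is a candidate source/credential leak.
find_exposed_php_source() {
    find "$1" -type f ! -name '*.php' 2>/dev/null | while IFS= read -r f; do
        if grep -q '<?php' "$f" 2>/dev/null; then
            printf '%s\n' "$f"
        fi
    done
}

# Return 0 if $1/.htaccess disables directory indexes, non-zero otherwise
# (including when no .htaccess exists at all).
directory_listing_disabled() {
    grep -Eq '^[[:space:]]*Options[[:space:]].*-Indexes' "$1/.htaccess" 2>/dev/null
}

# Overwrite $1/.htaccess with rules that turn off listings and refuse to
# serve the usual "source that is not .php" extensions. Apache 2.4 syntax.
write_hardening_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
# Never list directory contents
Options -Indexes

# Never serve PHP includes, editor backups or SQL dumps as plain text
<FilesMatch "\.(inc|bak|old|orig|sql|swp)$">
    Require all denied
</FilesMatch>
EOF
}

# Build a throwaway document root that reproduces the question (constructed
# sample data, not a real site) and print its path.
make_sample_docroot() {
    d=$(mktemp -d)
    mkdir -p "$d/includes"
    cat > "$d/includes/settings.inc" <<'EOF'
<?php
class clsSettings { var $site = "localhost"; var $sitepass = "x"; }
?>
EOF
    printf '<?php echo "hello";\n' > "$d/index.php"
    printf 'User-agent: *\nDisallow: /includes/\n' > "$d/robots.txt"
    printf '%s\n' "$d"
}

# Demonstration on the constructed sample root.
root=$(make_sample_docroot)
echo "PHP source served verbatim under $root:"
find_exposed_php_source "$root"          # prints .../includes/settings.inc
if directory_listing_disabled "$root"; then
    echo "Directory listing: off"
else
    echo "Directory listing: ON (index of ... is visible)"
fi
write_hardening_htaccess "$root"
if directory_listing_disabled "$root"; then
    echo "After hardening, directory listing: off"
fi
# settings.inc is now denied, but it still exists: rename it to .php or move
# it outside the web root, and rotate the credentials it contained.
rm -rf "$root"
```

Run the audit against a real site with `find_exposed_php_source /var/www/html`; note that robots.txt disallowing `/includes/` is deliberately present in the sample and changes nothing, which is the point made in the first answer.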

Statement: the technical posts on this site are published under the CC BY-SA 4.0 license; if you repost, please credit this site's URL or the original source.
